Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-05-2003, 12:55 PM   #1
kemu
LQ Newbie
 
Registered: May 2003
Posts: 3

Rep: Reputation: 0
chrooting vsftpd


Hey
I've installed vsftpd on my Red Hat system.
When a normal user logs in he can browse almost my whole hd.
I would like him only to be able to move around in his own homedir.
How can I do this?
 
Old 05-05-2003, 02:18 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Take a look at my post here:
http://www.linuxquestions.org/questi...961#post293961
 
Old 05-05-2003, 02:20 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hello and welcome to LQ.
For starters have a look at this thread (we've got excellent search facilities here at LQ) and your vsftpd docs.
 
Old 05-05-2003, 02:35 PM   #4
kemu
LQ Newbie
 
Registered: May 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Sorry, I should have asked my question a bit better.
What I mean is I have a user chrooted using jailchroot, under /var/chroot/home/chroottest. I did this to secure users logging in by ssh.
Now the user chroottest can't log in by ftp using vsftpd; I always get wrong passwd. How can I make sure chrooted users using chrootjail can log in by ftp using vsftpd?
Another thing about chrootjail. Users can still move around in the "/" dir and view files ...
I know there is a way to stop users from doing that, only I don't know how ...
I know it has something to do with groups. Is there any article that deals with these things ... so for example if a jail chrooted user does "ls /" he gets permission denied?

Last edited by kemu; 05-05-2003 at 03:16 PM.
 
Old 05-06-2003, 06:42 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
What I mean is I have a user chrooted using jailchroot, under /var/chroot/home/chroottest. I did this to secure users logging in by ssh. Now the user chroottest can't log in by ftp using vsftpd; I always get wrong passwd. How can I make sure chrooted users using chrootjail can log in by ftp using vsftpd?
Not a direct answer to your question, but if you only use "chrootjail" to isolate an SSH user, there is a patch[1] to OpenSSH that can chroot users. That would help avoid conflicts with other apps because, for instance, it doesn't need modification of /etc/passwd data.

If you want to work things out with your current setup then you need to fix the authentication stuff. Login and look in the vsftpd log for errors, else make it log in verbose or debug mode, else run it through strace to look for errors: "strace -v -o /tmp/strace.log /path/to/vsftp <vsftpargs>". Then post your vsftp configs, logfile, errors and the strace log running vsftp.

Else look at vsftpd's "virtual users" option which supposedly doesn't need /etc/passwd (I think the error is there or with PAM) and such at all. Look in the docs under EXAMPLE/VIRTUAL_USERS_2/README.


Quote:
Another thing about chrootjail. Users can still move around in the "/" dir and view files ...
If you're sure[2], then you made a configuration error.
AFAIK you should review your setup in /etc/passwd.

Quote:
I know there is a way to stop users from doing that, only I don't know how ...
I know it has something to do with groups. Is there any article that deals with these things ... so for example if a jail chrooted user does "ls /" he gets permission denied?

No. A chrooted user is never denied access to root ("/"), because they need access to system binary dirs like /bin and /usr/bin.
A chroot that's set up properly contains a "mirror" of the root filesystem, including for instance authentication files in </chroot dir>/etc, libs in </chroot dir>/lib and the necessary binaries.
That's why I favour "jail": it sets up the basic chroot I only have to tweak, like for instance replacing Bash and GNU utils with busybox.


Also please note the 1st thread in this forum contains some handy references on security in general, including chrooting etc etc.


[1] Chrooting OpenSSH:
http://chrootssh.sourceforge.net/patches/
http://mail.incredimail.com/howto/openssh/
http://debian.chains.ch/chroot/chroot.html

[2] amIJailedOrWhat.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Heuristic: on ext2/ext3 the real root directory is always inode 2,
 * so if stat("/") reports another inode number the process is (most
 * likely) running inside a chroot. */
int main(int argc, char **argv) {
  struct stat x;

  if (stat("/", &x)) {
    perror("Unable to stat /");
    exit(EXIT_FAILURE);
  }

  if (x.st_ino==2) {
    printf("Account is NOT chrooted.\n");
  } else {
    printf("Account is chrooted OK.\n");
  }
  exit(EXIT_SUCCESS);
}
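The inode-2 test in amIJailedOrWhat.c is a heuristic that only holds for ext2/ext3 root filesystems: xfs, btrfs and the overlay filesystems used by containers give the real root a different inode number (false "chrooted"), and a jail directory that is itself the mount point of a separate ext partition is inode 2 too (false "not chrooted"). The program below is an added example, not unSpawn's code and not from the thread. It keeps the thread's heuristic but tries a stronger signal first: comparing the (st_dev, st_ino) pair of "/" with that of /proc/1/root/. (which needs root, or CAP_SYS_PTRACE, and a /proc mounted inside the jail). The enum names, function names and the fallback policy are my own choices.

```c
/*
 * Added example (not from the thread): a more careful "am I jailed?" check.
 * Signal 1 (preferred): does PID 1 see the same root directory as we do?
 * Signal 2 (fallback):  the thread's ext2/ext3 "root is inode 2" heuristic.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>

enum jail_verdict { JAIL_NO = 0, JAIL_YES = 1, JAIL_UNKNOWN = 2 };

/* Heuristic from the thread: on ext2/3/4 the real root directory is inode 2.
 * Other filesystems (xfs, btrfs, overlayfs) use other numbers, so a mismatch
 * is not proof of a chroot. */
int root_inode_looks_like_ext_root(ino_t ino) {
    return ino == 2;
}

/* Authoritative signal: if our "/" is a different directory (dev, ino pair)
 * from what PID 1 sees as "/", we are chrooted relative to PID 1. */
enum jail_verdict compare_roots(const struct stat *ours, const struct stat *pid1) {
    if (ours->st_dev == pid1->st_dev && ours->st_ino == pid1->st_ino)
        return JAIL_NO;
    return JAIL_YES;
}

enum jail_verdict am_i_jailed(void) {
    struct stat ours, pid1;

    if (stat("/", &ours) != 0) {
        perror("stat /");
        return JAIL_UNKNOWN;
    }

    /* /proc/1/root is a "magic" symlink: following it needs ptrace-level
     * access to PID 1 (normally root). Inside a jail without /proc it
     * does not exist at all (ENOENT); both cases fall through. */
    if (stat("/proc/1/root/.", &pid1) == 0)
        return compare_roots(&ours, &pid1);

    if (errno != EACCES && errno != ENOENT)
        perror("stat /proc/1/root/.");

    /* Fallback: inode 2 strongly suggests the real ext root; anything else
     * is inconclusive rather than a positive "chrooted" answer. */
    return root_inode_looks_like_ext_root(ours.st_ino) ? JAIL_NO : JAIL_UNKNOWN;
}

int main(void) {
    switch (am_i_jailed()) {
    case JAIL_NO:
        puts("Account is NOT chrooted.");
        break;
    case JAIL_YES:
        puts("Account is chrooted OK.");
        break;
    default:
        puts("Cannot tell: root inode is not 2 and /proc/1/root is not readable.");
        break;
    }
    return EXIT_SUCCESS;
}
```

Run it once as the jailed user (expect the fallback path, since /proc/1/root is unreadable) and once as root inside the jail with /proc mounted (expect the authoritative comparison); a "NOT chrooted" verdict from the second run means the jail is not actually in effect.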